Resource access based on supervisory-subordinate relationship

ABSTRACT

A processing device includes processing circuitry and non-volatile storage configured to store management information that identifies supervisor-subordinate relationships among users. The processing circuitry receives a request from a first user, wherein the request includes a request to alter access rights of a second user to a network resource. The processing circuitry establishes authorization of the first user to request access to the network resource based on information included in a directory services database, and retrieves management information associated with the first user and the second user from the non-volatile storage. The processing circuitry determines whether a supervisor-subordinate relationship exists between the first user and the second user based on the management information associated with the first user and the second user, and alters the access rights of the second user to the network resource, at least partly in response to determining that the supervisor-subordinate relationship between the first user and the second user exists.

CROSS REFERENCE TO RELATED PATENTS

The present U.S. Utility Patent application claims priority pursuant to35 U.S.C. § 120 as a continuation of U.S. Utility application Ser. No.17/407,960 entitled “PROXY DEVICE THAT SELECTIVELY DISPATCHES RESOURCEREQUESTS,” filed Aug. 20, 2021, scheduled to issue as U.S. Pat. No.11,418,615 on Aug. 16, 2022, which is a continuation of U.S. Utilityapplication Ser. No. 17/101,356 entitled “SELECTIVELY TRANSFORMINGASSETS RETURNED BY A PROXY DEVICE,” filed Nov. 23, 2020, now U.S. Pat.No. 11,102,321 issued on Aug. 24, 2021, which is a continuation of U.S.Utility application Ser. No. 16/654,361 entitled “SERVICING ASSETREQUESTS VIA PROXY,” filed Oct. 16, 2019, now U.S. Pat. No. 10,855,790issued on Dec. 1, 2020, which is a continuation of U.S. Utilityapplication Ser. No. 16/186,213 entitled “PROXY-CONTROLLED REQUESTROUTING,” filed Nov. 9, 2018, now U.S. Pat. No. 10,484,496 issued onNov. 19, 2019, which is a continuation of U.S. Utility application Ser.No. 15/657,566 entitled “PROXY-CONTROLLED REQUEST ROUTING,” filed Jul.24, 2017, now U.S. Pat. No. 10,129,354 issued on Nov. 13, 2018, which isa continuation of U.S. Utility application Ser. No. 14/755,377 entitled“PLATFORM-AS-A-SERVICE WITH PROXY-CONTROLLED REQUEST ROUTING,” filedJun. 30, 2015, now U.S. Pat. No. 9,736,259 issued on Aug. 15, 2017, allof which are hereby incorporated herein by reference in their entiretyand made part of the present U.S. Utility Patent Application for allpurposes.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not applicable.

INCORPORATION-BY-REFERENCE OF MATERIAL SUBMITTED ON A COMPACT DISC

Not applicable.

BACKGROUND OF THE INVENTION 1. Technical Field of the Invention

This invention relates generally to controlling access to networkresources, and more particularly to controlling access to networkresources based on supervisory-subordinate relationships.

2. Description of Related Art

Many modern companies, organizations, or other entities aregeographically decentralized, having subsidiaries, affiliates, operatingunits, offices, or other entities located in widely separated geographicareas. In some cases, each individual entity maintains, and controlsaccess its own resources, for example data, web development tools, andmedia files, making sharing and controlling access to those resources byother entities complicated. In practice, this often results in minimalsharing of resources due to access security constraints.

In other instances, a parent company can attempt to centrally controlall shared resources. This can work well for organizations that impose arigid hierarchical structure, but can require huge costs and efforts toestablish and maintain centralized control over the shared resources. Inpractice, many resources may not be made available via the centrallycontrolled sharing mechanism due to cost and maintenance requirements,again resulting in minimal sharing of resources. Furthermore, differentusers associated with the individual entities may have individual needsthat lead to an unwieldy proliferation of resource management tools.

BRIEF SUMMARY OF THE INVENTION

The present invention is directed to apparatus and methods of operationthat are further described in the following Brief Description of theDrawings, the Detailed Description of the Invention, and the claims.Various features and advantages of the present invention will becomeapparent from the following detailed description of the invention madewith reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

FIG. 1 is a block diagram of an embodiment of a system, in accordancewith various embodiments of the present disclosure;

FIG. 2 is a block diagram illustrating a system including a proxy incommunication with a requestor device and an asset host, in accordancewith various embodiments of the present disclosure;

FIG. 3 is a flow chart illustrating a method of handling accessrequests, in accordance with various embodiments of the presentdisclosure;

FIG. 4 is a flow chart illustrating a method of transforming resourcesfor delivery to a requestor, in accordance with various embodiments ofthe present disclosure;

FIG. 5 is a representation of a graphical user interface presentingmanagement information associated with a first user, in accordance withvarious embodiments of the present disclosure;

FIG. 6 is a representation of a graphical user interface presentingmanagement information associated with a second user, who is asubordinate of the first user of FIG. 5 , in accordance with variousembodiments of the present disclosure;

FIG. 7 is a representation of a graphical user interface presentingmanagement information associated with a third user, who is asubordinate of the second user of FIG. 6 , in accordance with variousembodiments of the present disclosure; and

FIG. 8 is a flow diagram illustrating information flow between a client,a proxy, and a resource host in accordance with various embodiments ofthe present disclosure.

DETAILED DESCRIPTION OF THE INVENTION

In various embodiments, a user can request access to a resource,sometimes referred to herein as an asset, hosted at a server device. Theresource or asset can be an audio, video, text, or multimedia file, aprogram file such as a Hypertext Markup Language (HTML) or JavaScriptObject Notation (JSON) file, any of various downloadable or hostedtools, for example a source code tool, a compiler or other programmingtool, an editing tool, a website development tool, a media broadcastingtool, or the like.

The resource request can be received by a proxy, which determineswhether or not to forward the request to the server hosting theresource. The determination made by the proxy can include performing amulti-stage authentication and authorization process that uses directoryinformation obtained from one source, and management informationobtained from another source. The directory information can be used bythe proxy to determine whether the requestor is an authorized networkuser. If the requestor is an authorized network user, the proxy can usethe management information to determine whether or not the requestor isauthorized to access the requested resource. Assuming that both portionsof the test are satisfied, the proxy can forward the request to theresource host for servicing.

In some embodiments, once the request has been forwarded to the resourcehost, the proxy can be removed from the process, and the requestor andthe host can communicate directly with each other without requiringproxy intervention. In other embodiments, however, the resource hostprovides the requested resource to the requestor via the proxy. In somesuch implementations, the proxy can transform the resource from a formator configuration used by the resource host into a different format orconfiguration used by the device that sent the request. For example, theproxy can generate a transformed resource file by transforming a baseresource file received from a resource host. The base resource file canbe transformed by using pipeline language parameters included in a URLassociated with the access request to create a set of functions to beapplied in series. In some embodiments the URL to which the request issent can include embedded pipeline language parameters or instructions.These pipeline language parameters can include information indicating anecessary format, or a format in which the requesting device wouldprefer to receive the resource.

Requesting access to a resource can include requesting write access, sothat the resources stored in one or more resource hosts can be modifiedor added by individual users, and shared by other users. The resourcescan be stored using a versioning system in some embodiments.Furthermore, the management information that indicates a user'sauthorization to access particular resources can be shared with otheruser's in a “what you have you can grant” paradigm, without requiringthe user granting access to have elevated access authority. For example,even if a user does not have administrator-level access, that user cangrant to users designated as his subordinates some or all of the accessassigned to the user. This can facilitate non-centralized granting andrestricting access authority.

Referring to FIG. 1 , a system 100 will be discussed according tovarious embodiments of the present disclosure. System 100 includes proxy110, Relay 120, Resource Host A 130, Resource Host B 140, Station A 150,Station B 160, and Global Directory Services 170. Relay 120 can includeProcessing Module 124, Management Information Data Store 122, andRouting Information Database 126. Resource Host A 130 can includeprocessing module 134 and resource storage 132. Resource Host B 140 caninclude Processing Module 144 and HTTP Database (DB) 142. Station A 150can include Local Directory Services A 156, User1 152, and User2 154.Station B 160 can include Local Directory Services B 166, User3 162, andUser4 164.

Station A 150 and Station B 160 can be affiliated entities of a largerorganization, entity, corporation, company, etc. For example, Station A150 and Station B 160 can be local broadcast or Internet radio stationsaffiliated with a regional, national, or international radiobroadcasting company or another media entity. In some embodiments,Station A 150 and Station B 160 can be affiliated with each other in abroad, or general sense, even if not considered to be “affiliates” inthe strictest sense. For example, Station A 150 and Station B 160 may beloosely connected by a formal or informal agreement or contract. In someembodiments, Station A 150 and Station B 160 can be considered to beaffiliated if they share access to common resources hosted by ResourceHost A 130 or Resource Host B 140, or if they share common directoryservices, such as Global Directory Services 170.

In at least one embodiment, Station A 150 and Station B 160 each usesits own local directory services, Local Directory Services A 156 andLocal Directory Services B 166, to control access to internal networkresources. For example, Station A 150 can use Local Directory Services A156, which can include a Lightweight Directory Access Protocol (LDAP),for example a Microsoft® Active Directory®, to control the access ofUser1 152 and User2 154 to various network resources. Similarly, StationB 160 can use Local Directory Services B 156 can use a LightweightDirectory Access Protocol (LDAP), for example, Apache Directory®, tocontrol the access of User3 162 and User4 164 to various networkresources. As used herein, the term “directory services” refers to a setof one or more processes or services used to authenticate and authorizeusers in a network or subnetwork by assigning and enforcing securitypolicies. For example, when a user attempts to log onto a computerdomain, a directory service can be used to verify that the user is anauthorized network user by verifying a password entered by the user. Thedirectory service can also be used to determine a user type, for example“administrator” or “user.”

In some embodiments, Global Directory Services 170 is controlled byStation A 150, by Station B 160, by proxy 110, or by another entity (notillustrated), for example a parent organization, of which Station A 150and Station B 160 are affiliates. Global Directory Services 170 can, insome embodiments, obtain and store directory information from either orboth of Local Directory Services A 156 and Local Directory Services B166. In some implementations, Global Directory Services 170 alsoincludes additional directory information not included in either LocalDirectory Services A 156 or Local Directory Services B 166. For example,Global Directory Services 170 can include directory informationassociated with other affiliates or related entities, in addition todirectory information associated with parent entity users.

In various embodiments, the information in Global Directory Services 170is unique to itself, and does not replicate information included fromLocal Directory Services A 156 and Local Directory Services B 166. Otherembodiments can use directory information in Global Directory Services170 to populate the directory information in Local Directory Services A156 and Local Directory Services B 166. In some such embodiments, someor all of the directory information in Global Directory Services 170 canbe transmitted to Local Directory Services A 156 for replication andstorage, and some or all of the directory information in GlobalDirectory Services 170 is transmitted to Local Directory Services B 166for replication and storage.

In some embodiments, Proxy 110 can obtain directory information from anyor all of Global Directory Services 170, Local Directory Services A 156,and Local Directory Services B 166 for use in determining whether a userrequesting access to a shared resource is an authorized network user. Insome embodiments, only authorized network users are permitted to submitrequests for access to resources, and if directory information does notindicate that a requestor is an authorized network user, any requestsubmitted can be ignored, rejected, generate an error message deliveredto the unauthorized requestor, or initiate an access-violation response.For example, a URL associated with a request by an unauthorized user canbe reported to Global Directory Services 170, Local Directory Services A156, Local Directory Services B 166, or to another network monitoringdevice. In some embodiments, in response to receiving one or moreunauthorized access notifications from Proxy 110, any of the directoryservices can freeze the account of the requestor for a predeterminedperiod of time, or initiate an elevated authentication protocol.

Proxy 110 can, in some embodiments, maintain its own directory servicesdatabase (not separately illustrated), and synchronize the proxy'sdirectory services database with one or more other directory servicesdatabases, and use the information in the synchronized proxy directoryservices database for decision making purposes. For example, Proxy 110can maintain Global Directory Services 170 by periodically obtainingupdated directory information from Local Directory Services A 156 andLocal Directory Services B 166, and storing the combined directoryinformation in a database used by Global Directory Services 170. Ratherthan maintaining its own directory services database, Proxy 110 can, insome embodiments, query Global Directory Services 170, Local DirectoryServices A 156, or Local Directory Services B 166 each time a resourcerequest is received at Proxy 110.

Proxy 110 can also obtain management information from Relay 120. Themanagement information can be used by Proxy 110 to grant or deny theresource request. In at least one embodiment, the user managementinformation includes role information indicating roles assigned to oneor more users, subordinate user information indicating subordinateusers, and by extension supervisors to which the subordinate users areassigned, access authorization information indicating resources to whichparticular users have access, and source-of-rights informationindicating whether a user's access authorizations were granted byanother user, and if so which user granted that access authorization. Insome embodiments that use multiple, non-duplicated directory servicesfor different users or entities, management information can also includeinformation indicating which directory service the proxy should contactfor information about whether a requestor is an authorized network user.

The management information obtained from Relay 120 can also be used todetermine whether a user attempting to grant access to, or remove accessfrom, another user is allowed to do so. As mentioned above, someembodiments operate on a “what you have you can grant” paradigm,referring to the ability of a first user to grant a second user accessto resources the first user is authorized to access. In some suchembodiments, the ability to grant access can be limited tosupervisor-subordinate relationships. For example, a supervisor can beallowed to grant his subordinates authorization to access to any or allof the resources the supervisor herself is authorized to access. In somesuch embodiments, Proxy 110 can use the role information and thesubordinate user information to determine whether a particular user isallowed to grant another user access to a particular resource, or toassign another user to a particular role, or conversely whether the useris allowed to restrict another user.

In addition to obtaining management information from Relay 120, anddirectory information from Global Directory Services 170, LocalDirectory Services A 156, or Local Directory Services B 166, Proxy 110can also obtain routing information from Routing Information Database126. Routing information can include a network address from which aparticular resource is available, such as the network address ofResource Host A 130 or Resource Host B 140. For example, if a messagereceived at Proxy 110 requests access to a particular version of aparticular media file, Proxy 110 can use the routing information todetermine that the requested resource, or asset, is maintained in HTTPDatabase 142, hosted by Resource Host B 140. If Proxy 110 determinesthat the requested access is authorized, Proxy 110 can route the requestto Resource Host B 140. In some embodiments, Proxy 110 can temporarilystore the request and forward the request to an appropriate addressdetermined based on the routing information. In other embodiments, Proxy110 can repackage, revise, or encapsulate and re-transmit the request sothat the destination host, in this example Resource Host B 140, deliversits response to Proxy 110.

Referring next to FIG. 2 , a system 200 including a Proxy 210 incommunication with Requestor Device 250 and Asset Host 260 will bediscussed in accordance with various embodiments of the presentdisclosure. Proxy 210 includes Communications Interface 240, which canbe a wired or wireless interface configured to allow Proxy 210 tocommunicate via communications network such as the Internet; RequestHandling Module 230, which in turn includes LDAP Module 235, RoutingModule 233, and User Management Module 231; and Resource TransformationModule 220, which includes Extraction Module 225, Transformation Module223, and Parameter/Function Storage 221.

Requestor Device 250 can be a computer terminal, smart phone, laptop,tablet, or other device used by a requestor to send an Asset Request 251to Proxy 210, where the asset request can include a request access to anasset available from Asset Host 260, which can be a collection of one ormore server device that stores assets, or resources, in a database orother storage construct within physical memory. The asset request caninclude a uniform resource locator (URL), or other network addressassociated with the requested asset. The URL can be part of the request,but does not necessarily designate the current network address at whichthe requested asset is located. In at least some embodiments, the URLcan be used to designate a particular asset, and a particular version ofthe asset. In some embodiments, the URL can also include pipelinelanguage parameters that specify a format, encoding, and/or encryptiontype in which Requestor Device 250 expects to receive the asset. AssetRequest 251 also includes, in some embodiments, information identifyinga requestor associated with Asset Request 251, which can includeinformation about the requestor's network credentials.

Asset Request 251 is received at Communications Interface 240, and canbe routed to Request Handling Module 230 and Resource TransformationModule 220. LDAP Module 235 can obtain directory information from adirectory services database to determine if Asset Request 251 is from anauthorized network user. LDAP Module 235 can obtain the directoryinformation and compare the information about the requestor'scredentials with the directory information to make a determinationregarding whether the requestor is an authorized network user.Alternatively, LDAP Module 235 can query a directory services server anddetermine whether the user is an authorized network user based on aresponse from directory services server. In some embodiments, arequestor is determined to be an authorized network user if therequestor is a member of a particular computer domain, workgroup, orother security group known to the directory services server, or if thedirectory information otherwise indicates that the requestor isauthorized to communicate with Proxy 210 via a network to whichCommunications Interface 240 is connected.

If the requestor is determined to be an authorized network user, UserManagement Module 231 can be used to check user management informationassociated with the requestor to verify that the requestor is authorizedto access the requested asset, or resource. For example, the managementinformation may indicate a requestor is assigned to a role that isauthorized to download a current version of an HTML document, but not toa role authorized to store changes to that same HTML document. In thisexample, if Asset Request 251 simply requests downloading the HTMLdocument, the request will be forwarded to Asset Host 260, but if AssetRequest 251 is a write request, Asset Request 251 will be denied. Insome cases, a denied asset request can be simply discarded. However, inother embodiments an error notification, or a “Request Denied” responsecan be delivered from Proxy 210 to Requestor Device 250. In yet otherembodiments, denied requests are tracked, and when a threshold number ofrequests are denied, heightened authentication or other securitymeasures can be implemented.

For purposes of this example, assume that Asset Request 251 passes themulti-level authentication and authorization process implemented LDAPModule 235 and User Management Module 231. In that case, Routing Module233 can be used to obtain information about the current location andstatus of the requested asset, and Routed Asset Request 241 can betransmitted to Asset Host 260, via Communications Interface 240. Inresponse to receiving Routed Asset Request 241, Asset Host 260 processesthe request, and in some embodiments delivers Requested Asset 261 toProxy 210. In other embodiments, Asset Host 260 can transmit therequested asset directly to Requestor Device 250 via an AlternateCommunications Link 262, bypassing Proxy 210.

For embodiments in which Asset Host 260 delivers Requested Asset 261 toProxy 210, Requested Asset 261 can be transformed using ResourceTransformation Module 220. Resource Transformation Module 220 can useExtraction Module 225 to extract pipeline language parameters from theURL included in the original request. For example, if the request URLincludes the following: “http://subdomain.hostdomain.com/fit(100,100)/fit(75,75)/bar(5,5)/ . . . , Extraction Module 225 can readthe URL, extract the pipeline parameters “fit(100,100),” “fit(75,75),”and “bar(5,5),” and store the extracted pipeline parameters inParameter/Function Storage 221. Upon receiving Requested Asset 261 fromAsset Host 260, Transformation Module 223 can retrieve the storedpipeline parameters and apply the transform commands to Requested Asset261, in the same order indicated in the URL, to generate TransformedAsset 242. In this example, Transformation Module 223 will fit the imageinto a 100-pixel square; then a 75-pixel square; then run the “bar”function with parameters 5 and 5. Proxy 210 can then transmitTransformed Asset 242 to Requestor Device 250.

Referring next to FIG. 3 , a method 300 will be discussed in accordancewith various embodiments of the present disclosure. As illustrated byblock 303, a user request for access to a resource is received, forexample at a proxy. As illustrated by block 305, directory informationfor the requestor is obtained or otherwise accessed from a directoryservice. As illustrated by block 307, a check is made to determinewhether the user sending the request is an authorized network user whois allowed to communicate with the proxy or other device fielding theuser request. If the user is not an authorized network user, the requestis denied, as illustrated at block 309. If the determination at block307 indicates that the user is an authorized network user, the proxy orother device handling the user request obtains management information,as illustrated by block 311.

As illustrated by block 313, a check is made to determine whether themanagement information indicates that the user requesting the resourceis authorized to access the requested resource. Authorization can bedetermined at a per-resource level in some embodiments, so for example,a requesting user can have access to product ID 10, but not product ID11. Access can be further granulized to account for differing versionsof a particular asset. If the check at block 313 indicates that accessis authorized, the request can be routed to the resource host, asillustrated at block 315. Routing the request, as illustrated by block315, can include obtaining routing information from a relay database.The routing information can include specific routes to a host, hostresolution, security information indicating security requirements forparticular addresses, or the like.

In some embodiments, the determination made at block 313 can includedeterminations at both an application level and a resource level. Forexample, the management information may indicate that a requesting useris assigned a role that allows the user to access a particular hostedapplication that can be used to modify media files of a given type. Forpurposes of this example, assume further that the user has been assigneda role that permits modification of some, but not all media files. Thecheck made at block 313 can check to see if the request requires use ofthe hosted application, and further check to see if the request requiresmodification of a modification-prohibited asset. If both theapplication-level and resource-level (or asset-level) check arefavorable, the request can be routed to the resource host, asillustrated by block 315. In this example, if either theapplication-level or the resource-level determinations are unfavorable,the request is denied, as illustrated by block 309.

Referring next to FIG. 4 a method 400 will be discussed in accordancewith various embodiments of the present disclosure. As illustrated atblock 401, a request for authorization to use a resource or asset isreceived, for example at a proxy device. As illustrated by block 403,pipeline language parameters can be extracted from a URL associated withthe request for authorization. These pipeline language parameters can beincluded in the URL used to transmit the request to the proxy, or can beincluded in a URL that is part of the transmitted request. In at leastone embodiment, the pipeline language parameters can be executed inorder to transform a requested asset into a desired form.

As illustrated at block 405, the extracted parameters can be stored forlater use in transforming the requested asset. In some embodiments, allor a portion of the URL itself can be stored, and extraction of thepipeline language parameters can be performed at the time the requestedasset is received from the host providing the asset.

As illustrated by block 407, the request is processed and routed to thehost of the requested asset, as discussed with reference to FIG. 3 . Thehost processes the request, and returns the requested asset to theproxy, as illustrated by block 409. In at least one embodiment, therequested resource or asset is delivered to the proxy in a standardizedformat, having particular characteristics, selected based on asset type,or in a file specific format and resolution.

The characteristics of the requested asset can be compared to thecharacteristics indicated by the pipeline language parameters, asillustrated by block 411. A check can then be performed at block 413,based on the results of the comparison, to determine if the requestedresource requires transformation. In some cases, no pipeline languageparameters may be specified, in which case the result of thedetermination at block 413 could indicate that no transformation wasrequired. Alternatively, the results of the comparison at block 411 mayindicate that the characteristics of the requested resource do not matchthe characteristics specified by the pipeline language parameters,causing the determination at block 413 to indicate that transformationof the requested resource is required.

For example, the pipeline language parameters extracted from the URL atblock 403 might specify that a requested image file should fit within aparticular number of pixels. The comparison at block 411 and the checkat block 413 could indicate that the requested image already fits withinthe number of pixels specified by the pipeline language parameters, andthat no transformation is necessary. If, however, the comparison atblock 411 indicates that the requested image file cannot be fit withinthe number of pixels indicated by the pipeline language parameters, thecheck at block 413 would indicate that transformation was required.

As illustrated by block 415, if it is determined at block 413 thattransformation is required, the requested asset can be transformed inaccordance with the pipeline language parameters included in the URL.Note that in some embodiments, pipeline language instructions areexecuted to transform the requested asset or resource using the pipelinelanguage parameters included in the URL, regardless of whether therequested asset needs to be transformed or not.

If no transformation is required, as indicated by the determination atblock 413, the untransformed resource can be transmitted to therequestor at block 417. Similarly, the transformed resource can betransmitted to the requestor. In various embodiments, transmission ofthe transformed resource occurs after transformation of part, or all ofthe requested resource has been completed.

Referring next to FIGS. 5-7 , decentralized delegation of accessauthority will be discussed according to various embodiments of thepresent disclosure. Beginning with FIG. 5 , a graphical user interface(GUI) 500 presenting management information associated with a first useris discussed in accordance with various embodiments of the presentdisclosure. GUI 500 includes User Info Area 510, Manages Area 520, RolesArea 550, Tool Access Area 570, and Delegation Object 580. Variousembodiments of the present disclosure can be implemented using any ofvarious GUIs displaying various categories and sub-categories ofmanagement information that can be used by a proxy, in conjunction withdirectory information and routing information, to conditionally routeresource requests to servers or other devices hosting shared resourcesand assets.

Management information displayed in User Info Area 510 can includeinformation about a particular authorized network user, as indicated bydirectory information obtained from global or local directory services.This information can include standard contact information, including aname, a picture, a job title, a job area, an email address, a workaddress, one or more phone numbers, and other similar information.

Manages Area 520 can be used to display a portion of the subordinateuser information identifying subordinate users, i.e., users that thecurrently displayed user supervises or otherwise manages. Generally,although not always, these users are also authorized network users asdetermined by directory information obtained from a directoryinformation server. Although illustrated as a simple list, Manages Area520 can be displayed in some embodiments as an organizational chart,showing not only subordinate users, but also supervising users. In theillustrated embodiment, Manages Area can display a list of all, or somesubset of all, users that could potentially be assigned as subordinatesof the currently displayed user, with actually assigned subordinatesbeing indicated by checkmarks next to a user's name.

Roles Area 550 can be used to display a listing of all possible roles towhich the currently displayed user is assigned. As illustrated,checkmarks are used to indicate roles to which the currently displayeduser is actually assigned. Tool Access Area 570 can be used to display alist of all potential tools to which the currently displayed user hasauthority to access. Again, the illustrated embodiment uses checkmarksto indicate actually assigned tool access. Other techniques ofhighlighting or displaying information can be used consistent withvarious embodiments of the present disclosure.

Delegation Object 580 can be used to configure GUI 500 to receive userinput associated with assigning a listed subordinate a role or access toa tool. In some embodiments, Delegation Object 580 can be displayed onGUI 500 when the currently displayed user has at least one subordinate.Selecting Delegation Object 580 can, in some embodiments, allow a userdisplaying his own management information to select one or more of hisassigned subordinates for delegation or assignment of one or more rolesor tool access. It will be appreciated that various well-known displayand input mechanisms can be used in place of, or in addition to,Delegation Object 580 without departing from the spirit and scope of thepresent disclosure.

GUI 500, as illustrated, displays some, but not all, managementinformation that can be used by a proxy to conditionally route requeststo a resource or asset host. The significance and use of the differenttypes of information displayed in GUI 500 will now be discussed in moredetail, according to various embodiments.

In general, each known user is assigned zero or more roles; is seeded inthe system with zero or more subordinate users; and is granted access tozero or more tools. Assume for purposes of this discussion that thecurrently displayed user, John Doe, has been seeded with the illustratedsubordinates, roles, and tool access. Roles can be used to provideparticular multiple different users with similar access to particularassets or groups of assets. For example, the role of Developer, can beassigned to users who require access to multiple different versions ofprograms, websites, media items, or other assets in various stages ofdevelopment. For example, a developer may require access to program codein each of the following environments: unit test, development, producttest, regression, and production. By contrast a Standard User might haveno need at all for access to program code, but could require the abilityto insert or remove standardized content into or from a website. ToolAccess can refer to applications or components that various users mayneed to build websites, insert advertisements, create or modifycontests, manage hosted assets, or the like. In general, the roles canbe used to refer to what a user does, and the tool access can refer tothe tools needed to perform certain actions. In various embodiments,access to a particular file can depend on both assigned roles and toolaccess.

Referring next to FIG. 6 , a graphical user interface (GUI) 600displaying management information associated with a second user, who isa subordinate of the first user, John Doe, associated with theinformation displayed in FIG. 5 , is discussed in accordance withvarious embodiments of the present disclosure. GUI 600 includes UserInfo Area 610, Manages Area 620, Roles Area 650, and Tool Access Area670, each of which is similar to corresponding portions of GUI 500,which have been previously described. Assume for purposes of thefollowing examples that James Kirk was initially seeded into the systemwith zero roles, zero subordinate users; and zero authorized tools.

In at least one embodiment, a supervisor is able to confer or grantauthority to one or more of his subordinate users to the extent thesupervisor himself has been granted authority. For example, as shown inFIG. 5 , John Doe has been assigned roles as follows: AB Tester PowerUsers, Developers, Power Users, SMT Power Users, Schedules Power Users,Standard Users, and System Administrators. Thus, John Doe can confer anyof these roles to James Kirk, because James Kirk is a subordinate ofJohn Doe.

In FIG. 6 , it can be seen that John Doe has conferred some, but notall, of his own roles to James Kirk, his subordinate: AB Tester PowerUsers, Developers, Power Users, and SMT Power Users. Similarly, John Doehas granted James Kirk access to the following tools: AB Tester, AMPHosts Tool, AMP KT Dev, Ads Wizz Configurator, Buckets, and Catalog.

Conferring, or granting, access to a Role or Tool Access can be apermanent until deleted in some embodiments, and can remain active evenif the supervisor's roles or tool access changes. Thus, if John Doe isremoved from the AB Power User role, James Kirk can keep that role, eventhough John Doe no longer has the authority to grant that access. Inother embodiments, however, access to tools or roles by a subordinatelasts only as long as the supervisor that granted access maintainsaccess himself. Thus, in some embodiments if John Doe's access to theBuckets tool is removed, James Kirk also loses access to the Buckettool, and access to any resources that require use of the Bucket tool.

It should be appreciated that, in some embodiments, no elevated accessis required to grant roles or tool access. That is to say, it is notnecessary in some implementations to have administrator or otherelevated rights to assign a subordinate roles or tool access. This “whatyou have you can grant” paradigm can help avoid the necessity of havingto wait for a limited group of users having “super-access” rights beforea subordinate can be provided with the necessary access to perform hisjob. This paradigm can be valuable, in loose hierarchical situations, orin situations where broadly scattered and remotely located entities eachdesire the ability to grant access to their own assets without seekingapproval from a centralized authority.

Referring next to FIG. 7 , a graphical user interface (GUI) 700displaying management information associated with a third user, who is asubordinate of the second user, James Kirk, of FIG. 6 , in accordancewith various embodiments of the present disclosure. GUI 700 includesUser Info Area 710, Manages Area 720, Roles Area 750, and Tool AccessArea 770, each of which is similar to corresponding portions of GUI 500,which have been previously described. As illustrated by FIG. 7 , WesleyCrusher, who is a subordinate of James Kirk (FIG. 6 ), has been grantedthe roles of SMT Power Users and Standard Users, and access to the ABTester tool, by James Kirk. Note that in some embodiments, becauseWesley Crusher is not assigned any subordinates, and he therefore cannotdelegate roles or tool access to any other user.

In some embodiments, access to particular assets, can also be granted toparticular users in addition to roles and tool access, and assigned bythose users to their subordinates. A proxy can be used to control asupervisor's delegation, or assignment of roles, tools, or other assets.For example, GUIs 500, 600, and 700 can each be configured to acceptuser input by adding an “assign” or “delegate” button, dropdown menu,sub-screen, pop-up window, or the like. In response to a user attemptingto assign rights to another user, an assignment request message can besent to the proxy, requesting the proxy to send the managementinformation changes to a relay or other device used to store managementinformation. The proxy can check the subordinate information included inthe management information to determine if the target of the delegationor assignment of rights is assigned as a subordinate of the requestinguser. If so, the proxy can store the changed management information. Ifthe user receiving the assignment is not an assigned subordinate of therequesting user, the request can be denied.

Referring next to FIG. 8 , an information flow 800 between a ClientDevice 810, a Proxy 820, and a Resource Host 830 will be discussed inaccordance with various embodiments of the present disclosure. Invarious embodiments some or all of the resources or assets are accessedvia service components such as software containers or virtualized userspaces, such as those implemented by Docker®. In some such embodiments,Proxy 820 knows the state (e.g., running, available, offline, busy,etc.) of each instance of each container and container type, along withan alias to the primary instance of each container, which can be usedfor request routing. Thus, Proxy 820 can verify that resource requestscomply with various security policies, verify the container and/orcomponent to which the resource request is directed, locate the primaryinstance of that container and/or component, and dispatch the resourcerequest to the appropriate instance of the appropriate component.

Information flow 800 illustrates source and version control techniquesthat can be used in conjunction with various shared assets andresources. For example, a Client Device 810 can be used to send a LoadResource Request 803 to Proxy 820, which processes and forwards therequest to verify that a requestor is authorized to perform therequested action in conjunction with the resource, for example, read aresource, modify a resource, delete a resource, or add a resource. Forpurposes of this discussion, it will be assumed that a requestor has therequired level of resource access via Client Device 810.

As illustrated in information flow 800, Client Device 810 transmits LoadResource Request 803 to Proxy 820, which in turn routes Load ResourceRequest 803 to Resource Host 830. In this example, the resourcerequested in Load Resource Request 803 is Asset 833, which can beidentified in the system using a reference identifier derived using ahash function, for example “a3021f” in the case of Asset 833. Assets andresources can also be tagged, for example to maintain version control.In the illustrated embodiment, Asset 833 is associated with Tag 840,which identifies Asset 833 as a HEAD version, referring to the fact thatAsset “a3021f” 833 is the newest, or most recently updated version ofthe requested resource. Other possible tag types include “LIVE,”“PENDING_APPROVAL,” “BETA,” or similar tags indicating a particularstate of the asset. Tags can be used to provide platform-wide auditingof resources.

In some embodiments, a developer or other user may choose not to keep aversioning history of various resources. In some such embodiments, a“WORKING COPY” tag can be associated with a resource, indicating to theResource Host 830 or other users that the resource is not a “versionedresource.” When a user submits a change to a resource associated with aWORKING COPY tag, the Resource Host 830 can simply overwrite theprevious version, without saving and tracking a new version.

Resource Host 830 can respond to Load Resource Request 803 by providingaccess to Asset 833 via a Payload Response 805 to Proxy 820, which canforward the Payload Response 805 to Client Device 810 with or withoutfirst transforming the requested resource. Client device 810 can modifythe requested resource, and transmit a Modify and Save Request 807 toProxy 820. The Modify and Save Request 807 can be processed by Proxy820, and routed to Resource Host 830. A new identifier for the modifiedversion of the resource can be calculate, for example using a Hashfunction to arrive at “f32gde”, and Resource Host 830 can store themodified resource as Asset 835. Note that because Asset 835 is now themost recent version, Asset 835 is associated with Tag 842, indicatingthat Asset 835 is now the HEAD. Although not illustrated, when Asset835, which in this example is a modified version of the requested asset,is tagged as a HEAD version, TAG 840, which is associated with theunmodified version of the requested asset can be modified to indicate,for example, “VERSION-1”, to indicate that Asset 835 is the version ofthe requested resource immediately preceding the current HEAD version ofthe requested asset.

Various embodiments also allow a user, via client device 810, tomanually add a reference tag to an asset. For example, Add RefInstruction 809 can be sent from client device 810 to Resource Host 830.In response to Add Ref Instruction 809, Resource Host 830 can associateRef Tag 844 with Asset 837. Ref Tag 844 can be a standard versionidentifier, or custom reference identifier, for example a tagidentifying Asset 837 as a “working copy.”

It will be appreciated by those of ordinary skill in the art thatalthough the present disclosure refers to radio stations in describingvarious embodiments, other embodiments, not limited to radio stations,can also be implemented consistent with the teachings set forth herein.

As used herein, the terms “resource” and “asset” are usedinterchangeably, and unless otherwise explicitly indicated or requiredby context, refer to files, programs, applications, data, and otheritems that can be stored in a tangible computer readable storage medium.

As may be used herein, the terms “substantially” and “approximately”provide an industry-accepted tolerance for its corresponding term and/orrelativity between items. Such an industry-accepted tolerance rangesfrom less than one percent to fifty percent and corresponds to, but isnot limited to, component values, integrated circuit process variations,temperature variations, rise and fall times, and/or thermal noise. Suchrelativity between items ranges from a difference of a few percent tomagnitude differences. As may also be used herein, the term(s)“configured to”, “operably coupled to”, “coupled to”, and/or “coupling”includes direct coupling between items and/or indirect coupling betweenitems via an intervening item (e.g., an item includes, but is notlimited to, a component, an element, a circuit, and/or a module) where,for an example of indirect coupling, the intervening item does notmodify the information of a signal but may adjust its current level,voltage level, and/or power level. As may further be used herein,inferred coupling (i.e., where one element is coupled to another elementby inference) includes direct and indirect coupling between two items inthe same manner as “coupled to.” As may even further be used herein, theterm “configured to,” “operable to,” “coupled to,” or “operably coupledto” indicates that an item includes one or more of power connections,input(s), output(s), etc., to perform, when activated, one or more itscorresponding functions and may further include inferred coupling to oneor more other items. As may still further be used herein, the term“associated with,” includes direct and/or indirect coupling of separateitems and/or one item being embedded within another item.

As may be used herein, the term “compares favorably,” indicates that acomparison between two or more items, signals, etc., provides a desiredrelationship. For example, when the desired relationship is that signal1 has a greater magnitude than signal 2, a favorable comparison may beachieved when the magnitude of signal 1 is greater than that of signal 2or when the magnitude of signal 2 is less than that of signal 1.

The term “module” is used in the description of one or more of theembodiments. A “module,” “processing module,” “processing circuit,”“processor,” and/or “processing unit” may be a single processing deviceor a plurality of processing devices. Such a processing device may be amicroprocessor, micro-controller, digital signal processor,microcomputer, central processing unit, field programmable gate array,programmable logic device, state machine, logic circuitry, analogcircuitry, digital circuitry, and/or any device that manipulates signals(analog and/or digital) based on hard coding of the circuitry and/oroperational instructions. The processing module, module, processingcircuit, and/or processing unit may be, further include, memory and/oran integrated memory element, which may be a single memory device, aplurality of memory devices, and/or embedded circuitry of anotherprocessing module, module, processing circuit, and/or processing unit.Such a memory device may be a read-only memory, random access memory,volatile memory, non-volatile memory, static memory, dynamic memory,flash memory, cache memory, and/or any device that stores digitalinformation. Note that if the processing module, module, processingcircuit, and/or processing unit includes more than one processingdevice, the processing devices may be centrally located (e.g., directlycoupled together via a wired and/or wireless bus structure) or may bedistributedly located (e.g., cloud computing via indirect coupling via alocal area network and/or a wide area network). Further note that if theprocessing module, module, processing circuit, and/or processing unitimplements one or more of its functions via a state machine, analogcircuitry, digital circuitry, and/or logic circuitry, the memory and/ormemory element storing the corresponding operational instructions may beembedded within, or external to, the circuitry comprising the statemachine, analog circuitry, digital circuitry, and/or logic circuitry.Still further note that, the memory element may store, and theprocessing module, module, processing circuit, and/or processing unitexecutes, hard coded and/or operational instructions corresponding to atleast some of the steps and/or functions illustrated in one or more ofthe Figures. Such a memory device or memory element can be included inan article of manufacture.

One or more embodiments of an invention have been described above withthe aid of method steps illustrating the performance of specifiedfunctions and relationships thereof. The boundaries and sequence ofthese functional building blocks and method steps have been arbitrarilydefined herein for convenience of description. Alternate boundaries andsequences can be defined so long as the specified functions andrelationships are appropriately performed. Any such alternate boundariesor sequences are thus within the scope and spirit of the claims.Further, the boundaries of these functional building blocks have beenarbitrarily defined for convenience of description. Alternate boundariescould be defined as long as the certain significant functions areappropriately performed. Similarly, flow diagram blocks may also havebeen arbitrarily defined herein to illustrate certain significantfunctionality. To the extent used, the flow diagram block boundaries andsequence could have been defined otherwise and still perform the certainsignificant functionality. Such alternate definitions of both functionalbuilding blocks and flow diagram blocks and sequences are thus withinthe scope and spirit of the claimed invention. One of average skill inthe art will also recognize that the functional building blocks, andother illustrative blocks, modules, and components herein, can beimplemented as illustrated or by discrete components, applicationspecific integrated circuits, processors executing appropriate softwareand the like or any combination thereof.

The one or more embodiments are used herein to illustrate one or moreaspects, one or more features, one or more concepts, and/or one or moreexamples of the invention. A physical embodiment of an apparatus, anarticle of manufacture, a machine, and/or of a process may include oneor more of the aspects, features, concepts, examples, etc. describedwith reference to one or more of the embodiments discussed herein.Further, from figure to figure, the embodiments may incorporate the sameor similarly named functions, steps, modules, etc. that may use the sameor different reference numbers and, as such, the functions, steps,modules, etc. may be the same or similar functions, steps, modules, etc.or different ones.

Unless specifically stated to the contra, signals to, from, and/orbetween elements in the figures presented herein may be analog ordigital, continuous time or discrete time, and single-ended ordifferential. For instance, if a signal path is shown as a single-endedpath, it also represents a differential signal path. Similarly, if asignal path is shown as a differential path, it also represents asingle-ended signal path. While one or more particular architectures aredescribed herein, other architectures can likewise be implemented thatuse one or more data buses not expressly shown, direct connectivitybetween elements, and/or indirect coupling between other elements asrecognized by one of average skill in the art.

While particular combinations of various functions and features of theone or more embodiments have been expressly described herein, othercombinations of these features and functions are likewise possible. Thepresent disclosure of an invention is not limited by the particularexamples disclosed herein and expressly incorporates these othercombinations.

What is claimed is:
 1. A processing device comprising: a processingcircuitry including a processor and associated memory; non-volatilestorage configured to store management information including informationidentifying supervisor-subordinate relationships among users; theprocessing circuitry configured to: receive a request from a first user,wherein the request includes a request to alter access rights of asecond user to a network resource; establish authorization of the firstuser to request access to the network resource based on informationincluded in a directory services database; retrieve managementinformation associated with the first user and the second user from thenon-volatile storage; determine whether a supervisor-subordinaterelationship exists between the first user and the second user based onthe management information associated with the first user and the seconduser; and alter the access rights of the second user to the networkresource at least partly in response to determining that thesupervisor-subordinate relationship between the first user and thesecond user exists.
 2. The processing device of claim 1, wherein theprocessing circuitry is further configured to: subsequent to alteringthe access rights of the second user, determine that thesupervisor-subordinate relationship has been terminated; and revertingthe access rights of the second user to the network resource to apre-altered state in response to termination of thesupervisor-subordinate relationship.
 3. The processing device of claim1, wherein the processing circuitry is further configured to: subsequentto altering the access rights of the second user, determine that thesupervisor-subordinate relationship has been terminated; and in responseto termination of the supervisor-subordinate relationship, leave theaccess rights of the second user to the network resource unchanged. 4.The processing device of claim 1, wherein: altering the access rights ofthe second user includes granting access to the network resource.
 5. Theprocessing device of claim 4, wherein the processing circuitry isconfigured to limit access rights granted to the second user to a subsetof the access rights possessed by the first user.
 6. The processingdevice of claim 1, wherein the processing circuitry is furtherconfigured to: identify, based on the management information, which of aplurality of non-duplicated directory services databases is to bequeried to obtain information indicating whether a requestor is anauthorized network user.
 7. The processing device of claim 1, whereinthe management information includes: source-of-rights informationindicating whether a user's access authorizations were granted byanother user, and if so, which user granted that access authorization.8. A method comprising: receiving a request from a first user, whereinthe request includes a request to alter access rights of a second userto a network resource; establishing authorization of the first user torequest access to the network resource based on information included ina directory services database; retrieving management informationassociated with the first user and the second user from non-volatilestorage; determining whether a supervisor-subordinate relationshipexists between the first user and the second user based on themanagement information associated with the first user and the seconduser; and altering the access rights of the second user to the networkresource at least partly in response to determining that thesupervisor-subordinate relationship between the first user and thesecond user exists.
 9. The method of claim 8, further comprising:subsequent to altering the access rights of the second user, determiningthat the supervisor-subordinate relationship has been terminated; andreverting the access rights of the second user to access the networkresource to a pre-altered state in response to termination of thesupervisor-subordinate relationship.
 10. The method of claim 8, furthercomprising: subsequent to altering the access rights of the second user,determine that the supervisor-subordinate relationship has beenterminated; and in response to termination of the supervisor-subordinaterelationship, leaving the access rights of the second user to thenetwork resource unchanged.
 11. The method of claim 8, wherein: alteringthe access rights of the second user includes granting access to thenetwork resource.
 12. The method of claim 11, further comprisinglimiting granted access rights of the second user to a subset of theaccess rights possessed by the first user.
 13. The method of claim 8,further comprising: identifying, based on the management information,which of a plurality of non-duplicated directory services databases isto be queried to obtain information indicating whether a requestor is anauthorized network user.
 14. The method of claim 8, wherein themanagement information includes: role information indicating rolesassigned to the first user and the second user.
 15. A system comprising:a plurality of directory services databases; a processing deviceincluding a processor and associated memory; non-volatile storageconfigured to store management information including informationidentifying supervisor-subordinate relationships among users; theprocessing device configured to: receive a request from a first user,wherein the request includes a request to alter access rights of asecond user to a network resource; establish authorization of the firstuser to request access to the network resource based on informationincluded in one or more of the plurality of directory servicesdatabases; retrieve management information associated with the firstuser and the second user from the non-volatile storage; determinewhether a supervisor-subordinate relationship exists between the firstuser and the second user based on the management information associatedwith the first user and the second user; and alter the access rights ofthe second user to the network resource at least partly in response todetermining that the supervisor-subordinate relationship between thefirst user and the second user exists.
 16. The system of claim 15,wherein the processing device is further configured to: subsequent toaltering the access rights of the second user, determine that thesupervisor-subordinate relationship has been terminated; and revertingthe access rights of the second user to a pre-altered state in responseto termination of the supervisor-subordinate relationship.
 17. Thesystem of claim 15, wherein the processing device is further configuredto: subsequent to altering the access rights of the second user,determine that the supervisor-subordinate relationship has beenterminated; and in response to termination of the supervisor-subordinaterelationship, leave the access rights of the second user to the networkresource unchanged.
 18. The system of claim 15, wherein: altering theaccess rights of the second user includes granting access to the networkresource.
 19. The system of claim 18, wherein the processing devicelimits the access rights granted to the second user to a subset ofaccess rights possessed by the first user.
 20. The system of claim 15,wherein the processing device is further configured to: identify, basedon the management information, which of a plurality of non-duplicateddirectory services databases is to be queried to obtain informationindicating whether a requestor is an authorized network user.